Hi Tom,
Each CTS comes with a Manufacturing Installed Cert (MIC) that is unique to each system and signed by Cisco's Certificate Authority (CA). If the customer wishes to, they may load a Locally Significant Cert (LSC). The LSC is downloaded by each CTS from the Certificate Authority Proxy Function (CAPF) service running on CallManager. The CAPF can issue two types of LSCs:
1. Signed by the CAPF server (self-signed)
2. Signed by an external CA using the PKCS#10 certificate signing request (CSR) mechanism.
See page 1-16 at http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/security/6_1_1/secugd/secugd-cm.pdf
HTH
Arun